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What is cl a imed is; 

1. A method of detecting a class of viral code, comprising: 
heuristically analyzing a subject file to generate a set of flags along with statistical 
information; 

5 using the set of flags with statistical information to perform at least one search for 

a scan string and/or a statement type in the subject file; and 

triggering a positive detection alarm if each of the at least one search is found at 
least a corresponding predetermined number of times. 

10 2. The method of claim 1, wherein the subject file includes source code in a 

predetermined programming language. 

3. The method of claim 2, wherein the predetermined programming language is 
a script language. 

15 

4. The method of claim 1, wherein the subject file includes a file for a 
predetermined word processor. 

5. The method of claim 1, wherein at least one flag in the set of flags 
20 corresponds to a copy operation associated with one of the class of viral code. 

6. The method of claim 1, wherein at least one flag in the set of flags 
corresponds to an operation for adding data from a string to a target module. 

25 7. The method of claim 1, wherein at least one flag in the set of flags 

corresponds to an operation for importing another code. 

8. The method of claim 1, wherein at least one flag in the set of flags 
corresponds to an operation for disabling virus protection features in a target application. 
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9. The method of claim 1 , wherein the searched statement type corresponds to 
an operation for disabling functionalities in a target application. 

12. The method of claim 1 , wherein the searched statement type corresponds to 
an operation for overwriting system macros. 

11. A program storage device readable by a machine, tangibly embodying a 
program of instructions executable by the machine to perform method steps for detecting 
a class of viral code, the method steps comprising: 

heuristically analyzing a subject file to generate a set of flags along with statistical 
information; 

using the set of flags with statistical information to perform at least one search for 
a scan string and/or a statement type in the subject file; and 

triggering a positive detection alarm if each of the at least one search is found at 
least a corresponding predetermined number of times. 

12. A computer system, comprising: 
a processor; and 

a program storage device readable by the computer system, tangibly embodying 
a program of instructions executable by the processor to perform method steps for 
detecting a class of viral code, the method steps comprising: 

heuristically analyzing a subject file to generate a set of flags along with 
statistical information; 

using the set of flags with statistical information to perform at least one 
search for a scan string and/or a statement type in the subject file; and 

triggering a positive detection alarm if each of the at least one search is 
found at least a corresponding predetermined number of times. 

1 3 . A computer data signal embodied in a transmission medium which embodies 
instructions executable by a computer for detecting a class of viral code, comprising: 
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a first segment including heuristic analyzer code to analyze a subject file to 
generate a set of flags along with statistical information; 

a second segment including scanner code using the set of flags with statistical 
information to perform at least one search for a scan string and/or a statement type in the 
5 subject file, and triggering a positive detection alarm if each of the at least one search is 

found at least a corresponding predetermined number of times. 

14. An apparatus for detecting a class of viral code, comprising: 

an heuristic analyzer, wherein the heuristic analyzer analyzes a subject file to 
10 generate a set of flags along with statistical information; 

a search component, wherein the search component uses the set of flags with 
statistical information generated by the heuristic analyzer to perform at least one search 
for a scan string and/or a statement type in the subject file, and triggers a positive 
detection alarm if each of the at least one search is found at least a corresponding 
1 5 predetermined number of times. 

15. The apparatus of claim 14, wherein the heuristic analyzer is rule-based and 
comprises a heuristic engine and heuristic rules. 

20 16. The apparatus of claim 15, wherein the heuristics engine, using the heuristic 

rules, parses the subject file. 

17. The apparatus of claim 15, wherein the heuristics rules include sets of 
heuristic flags stored in a rules table. 

25 

18. The apparatus of claim 14, wherein the search component is rule-based and 
comprises a search engine and viral code class rules. 

19. The apparatus of claim 14, wherein the search component is a neural 
30 network. 
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